LinuxQuestions.org
Did you know LQ has a Linux Hardware Compatibility List?
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
LinkBack Search this Thread
Old 05-04-2007, 07:12 PM   #1
tniemela
LQ Newbie
 
Registered: May 2007
Location: Finland
Distribution: Debian 6.0
Posts: 9

Rep: Reputation: 0
Post Free Linux Security scanner NiX


Hi all!

As topic says, this project is similar to chkrootkit etc. but does things pretty much with different method and more efficiently. Because project is new and needs more testers i desised announce it here also (i hope im not braking any rule on forum).

Tool is completely free and licensed under GNU GPL. Pretty detailed information can be found from project homepage and download of course.

http://nixsecurityscanner.com/

I published this project also on http://freshmeat.net/projects/nixsecscan/ (for those who dont know, excellent place get nearly any Linux etc. free software and you can publish your own projects there too)

Im working with it daily since it`s my main freelance project atm. I hope it will be useful.
 
Old 05-05-2007, 03:21 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,534
Blog Entries: 51

Rep: Reputation: 2603Reputation: 2603Reputation: 2603Reputation: 2603Reputation: 2603Reputation: 2603Reputation: 2603Reputation: 2603Reputation: 2603Reputation: 2603Reputation: 2603
i hope im not braking any rule on forum
It's a draw between Linux Security (as in reaching your audience) and News (where announcements should go) and I think it should be OK here.

Couple of questions though. Just interested OK, nothing else:

What reasons did you have to choose Zsh as shell over Bourne or Bourne Again?

What's the deal with Chkrootkit, Rootkit Hunter (CVS, not 1.2.9) and OSSEC that you choose to start another similar project instead of joining an existing project?

but does things pretty much with different method and more efficiently.
With what rootkits did you test your application?
Can you show us how much qualitatively "better" your app is at the detection of rootkits and hidden processes?
Why did you choose to release it with acompanying binaries but w/o means for us to verify their integrity?
 
Old 05-05-2007, 08:45 AM   #3
tniemela
LQ Newbie
 
Registered: May 2007
Location: Finland
Distribution: Debian 6.0
Posts: 9

Original Poster
Rep: Reputation: 0
>What reasons did you have to choose Zsh as shell over Bourne or >Bourne Again?

I have done various projects before and been always using Zsh. Mainly it`s just that i have used to use it. But according to my experience Zsh works better for example when you have to play with digits and with decimal points etc.

Also declaring variables/arrays works smoother. For some reason any larger script starts having problems with Bash sooner or later, but this problem always disappears with Zsh.

>What's the deal with Chkrootkit, Rootkit Hunter (CVS, not 1.2.9) >and OSSEC that you choose to start another similar project instead >of joining an existing project?

Main reason is that i have serious trouble "audit" another guy code.
I donīt mean that code is terrible and this is why but each one script and program with their own style ...

>but does things pretty much with different method and more >efficiently.

No offence but for example in chkrootkit, if you have system with a lot of short time processes (for example very active httpd) etc.
It will give you a lot of fakes about hidden pids even its using C program for that. There is not that problem in NiX.

If im honest, only an idiot will backdoor hacked shell with rootkit ... there is many way much lighter and smarter ways to do it.

As mentioned in NiX FAQīs...looking things from default locations
works only against "script kiddos who just desided setup first foudn public rk to the server". What then when its modified but never released as public?

>With what rootkits did you test your application?
>Can you show us how much qualitatively "better" your app is at the detection of rootkits and hidden processes?

So far few modified versions from different public rkīs what others cannot see.

Therefore itīs not any cheap copy from existing ones.

>Why did you choose to release it with acompanying binaries but >w/o means for us to verify their integrity?

Those binaries are from clean Debian 4.0 installation. Binaries what are from bin-utils etc. packages. Only way to solve this issue is include source packages for all needed binaries and make my script compile them statically for each shell...I donīt want to make my script modify anyone running system because of security checks...

You should also ask from other developers why they are providing precompiled binary installations for Mysql server etc. without mean for us to verify those bins integrity...

If you are too paranoid, then you can statically compile yourself into temp directory those bins and then run my program or not use it at all. Completely up to you.
 
Old 05-05-2007, 08:58 AM   #4
tniemela
LQ Newbie
 
Registered: May 2007
Location: Finland
Distribution: Debian 6.0
Posts: 9

Original Poster
Rep: Reputation: 0
Donīt get me wrong with my answer. Im not saying that im the best and my stuff is the best.

Unfortunately i neither can do 100% sure solution but atleast im trying my best.

Is not it more better to community that they have more scanners to chose from instead of counting blindly for few only
 
Old 05-06-2007, 03:26 AM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,534
Blog Entries: 51

Rep: Reputation: 2603Reputation: 2603Reputation: 2603Reputation: 2603Reputation: 2603Reputation: 2603Reputation: 2603Reputation: 2603Reputation: 2603Reputation: 2603Reputation: 2603
If im honest, only an idiot will backdoor hacked shell with rootkit ... there is many way much lighter and smarter ways to do it.
And NiX checks for those methods, right?


As mentioned in NiX FAQīs...looking things from default locations works only against "script kiddos who just desided setup first foudn public rk to the server". What then when its modified but never released as public?
And NiX covers those too?


>With what rootkits did you test your application?
>Can you show us how much qualitatively "better" your app is at the detection of rootkits and hidden processes?
So far few modified versions from different public rkīs what others cannot see.

Hmm. Would be good PR to throw in some details here. I mean all the others list what they can detect.


Only way to solve this issue is include source packages for all needed binaries and make my script compile them statically for each shell...I donīt want to make my script modify anyone running system because of security checks...
There's other ways like directing people to run it off of a Live CDR (doesn't go well for colo boxen) or use "trusted" static binaries (there's a few Incident Response / Security sites on the 'net that carry those). I'd also like to point out that if the "victim" machine is subverted in a way syscalls get rerouted, any process listings on a live system can't be trusted regardless the method used (except for doing a post-mortem, booting from a Live CD).


You should also ask from other developers why they are providing precompiled binary installations for Mysql server etc. without mean for us to verify those bins integrity...
Simple. If a packages (scripting and) contents can't be trusted I won't install and run it. Period.


If you are too paranoid, then you can statically compile yourself into temp directory those bins and then run my program
Auditing stuff means you don't assume things but question everything. There's nothing like "too paranoid" for that matter. Not that I would accuse you of anything, but for instance the fact your app doesn't use CLI switches and tries to "phone home" (update) w/o telling or way to disable it (other than local fw) is nice if you're into "dumbing it down" for newbie users, but not everyone's cup of tea.


Is not it more better to community that they have more scanners to chose from instead of counting blindly for few only
Sure, if it adds novel or better methods of detecting rootkits and malware others haven't thought of, then this is a good thing. Thanks for your answers, hope you get the attention to get the community involvement thing going. BTW, please view my remarks as constructive criticism, I'm too busy to try and tear your playhouse down.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off
Trackbacks are Off
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
security scanner einstien Linux - Software 14 03-13-2005 01:53 PM
Nessus Security Scanner jbclarkman Mandriva 1 01-15-2005 10:34 PM
how security is imlemented in linux i.e. how do we say that it is virus free vinaymudgil007 Linux - Security 10 09-27-2004 10:53 AM
Internet Security Scanner? lemay_jeff Linux - Security 3 09-14-2004 07:54 AM


All times are GMT -5. The time now is 10:47 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration